Hi. I am having a problem when using OAuth authorization. I need the email, so I included the scope user:read:email, but in the idToken that I receive there is no email whatsoever.
This is the URL (I omit sensitive data):
https://id.twitch.tv/oauth2/authorize?client_id=__&response_type=code&scope=openid+user%3Aread%3Aemail&nonce=___&display=page&redirect_uri=https___
I get this response when I call the token URL:
{"access_token":"","expires_in":15288,"id_token":"ey—","refresh_token":"","scope":["openid","user:read:email"],"token_type":"bearer"}
And the IdToken does not contain any email data. Only the preferred_username field is present.
Mario_Calin_Sanchez:
I get this response when I call the token URL:
{"access_token":"","expires_in":15288,"id_token":"ey—","refresh_token":"","scope":["openid","user:read:email"],"token_type":"bearer"}
This is correct.
The token response only contains the token data.
There are no claims in your entry point, so the default claims occurred.
You either need to:
adjust/add claims to the entry point to request the needed data for your JWT, depending on which side you want to return the data on
call the userinfo_endpoint as per the OIDC RFC
use the access token against the Helix users endpoint
Oh, I see. So in the authorize URL I would have to include the query parameter with this JSON, string-encoded?
{
"id_token": {
"email": null,
"email_verified": null
}
}
I tend to roll with
const crypto = require('crypto');

// req/res come from the Express handler, config from the app settings and
// oidc_data from the OIDC discovery document (.well-known/openid-configuration).
// Fresh per-login state, stored in the session and checked on the callback.
req.session.state = crypto.randomBytes(16).toString('base64');
// construct the linking URL
const login_url = oidc_data.authorization_endpoint
  + '?client_id=' + config.client_id
  + '&redirect_uri=' + encodeURIComponent(config.redirect_uri)
  + '&response_type=code'
  + '&force_verify=true'
  + '&scope=' + oidc_data.scopes_supported.join('+')
  + '&state=' + encodeURIComponent(req.session.state)
  // claims to return from the userinfo endpoint; null means "requested, voluntary".
  // The JSON must be percent-encoded so its quotes, braces and colons survive the query string.
  + '&claims=' + encodeURIComponent(JSON.stringify({
    userinfo: {
      email: null,
      email_verified: null,
      picture: null,
      preferred_username: null
    }
  }));
console.log('Redirect to', login_url);
res.redirect(login_url);
and call userinfo.
But you can use id_token instead, or both.
With just email/email_verified it might drop preferred_username, so being specific is useful.
This worked. However, this was needed in order for it to appear in the id_token:
id_token: {
email: null,
email_verified: null,
preferred_username: null
}
Yeah, that's what I mean by:
You can define claims to provide the requested data in the JWT (id_token) or on userinfo endpoint with userinfo or both.
system
Closed
February 2, 2024, 2:47pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.